Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Performance Audit relating
to
Power Sector PSUs
Highlights
The process of migration of consumer data from Power Computerised Billing
System (CBS) to SAP was not documented. The Company did not provide
any formal training to its regular staff, being the intended System Users.
(Paragraph 2.7 and 2.9)
Deficiencies in the Meter Billing Collection (MBC) and Customer
Relationship Management (CRM) Modules led to various anomalies such as
non-interfacing of the System with Common Meter Reading Instrument
(CMRI), absence of provision for automatic calculation of processing fee,
wrong billing of fixed charges due to incorrect conversion of KW into KVA,
non-updation of Geographical Information System database leading to
overloading of distribution transformers, delay in release of new service
connections due to absence of necessary system alert etc.
(Paragraph 2.11, 2.12, 2.13, 2.16 and 2.17)
Incorrect mapping of business rules as well as lack of adequate validation
checks in the System resulted in excess recovery of power factor penalty,
incorrect billing of fixed/energy charges and wrong categorisation of
consumers leading to allowance of government subsidy to ineligible
consumers, etc.
(Paragraph 2.20, 2.21 and 2.22)
Lack of adequate application controls in the System resulted in acceptance of
unusual meter numbers, processing of unusual transactions, duplicate
generation of bills, etc.
(Paragraph 2.25, 2.28 and 2.30)
Performance Audit on Computerised Electricity Billing System in Assam
Power Distribution Company Limited
CHAPTER II
PERFORMANCE AUDIT RELATING TO POWER SECTOR PSUS
Audit Report (PSUs) for the year ended 31 March 2018
30
Introduction
2.1 Assam Power Distribution Company Limited (Company) which
undertakes distribution of electricity in the State was formed (23 October 2009)
after the unbundling of the erstwhile Assam State Electricity Board. As on 31
March 2018, the Company had 43.28 lakh consumers comprising of two broad
categories, namely low-tension (LT1) and high-tension (HT
2) consumers. The LT
and HT consumers were being billed under 158 Electrical Sub-Divisions (ESDs)
and 17 industrial revenue collection areas (IRCAs) of the Company. All the
consumers (both HT and LT) received power from the sub-stations functioning
under the control of ESDs. The Company billed and collected revenue from
consumers against the electricity supplied as per the Schedule of Tariff (SoT) issued
by the Assam Electricity Regulatory Commission (AERC) from time to time. The
Company was operating with the system of billing and collection of revenue through
the following two billing applications:
• Power Computerised Billing System: It was a decentralized billing
system being used for billing and collection purpose since 2003-04. As on 31
March 2018, around 79.52 per cent (34.42 lakh consumers) of total consumers
were being billed through this application. During 2013-18, the Company billed a
revenue aggregating ` 9,507.42 crore through this application.
• SAP: SAP is a software application in data processing where SAP stands
for System, Application and Products. SAP based billing application was
developed by Tata Consultancy Services (TCS) with Oracle as the database on a
centralised platform comprising of four Modules namely, Meter Billing
Collection (MBC), Customer Relationship Management (CRM), Web Self
Service (WSS) and Energy Audit (EA). The primary database server of SAP
based billing system was located at Data Centre, Guwahati while the Disaster
Recovery Centre (replica of Data Centre) was situated at Agartala. SAP was
introduced (March 2013) after implementation of Restructured Accelerated Power
Development and Reforms Programme (R-APDRP3) of the Government of India
(GoI). The R-APDRP scheme was implemented within the confined area of a town
termed as ‘Ring-fenced area’4. Initially the consumers5 falling within this area
were selected for migration from Power Computerised Billing System (Power
CBS) to SAP and those falling outside the said area continued to be billed through
Power CBS. As HT consumers were the primary source of revenue for the
1 Consumers having connected load below 20 Kilowatt
2 Consumers having connected load of 20 Kilowatt and above
3 R-APDRP is a central sector scheme approved by Ministry of Power, Government of India.
4 An imaginary boundary line demarcated through installation of import/export meters at the
boundary for the purpose of energy audit. 5 Both LT and HT
Chapter II – Performance Audit relating to Power Sector PSUs
31
Company and their migration to SAP ensured centralised monitoring of revenue
billing, all HT consumers were migrated from Power CBS to SAP irrespective of
the fact whether these consumers are covered within or outside the Ring-fenced
area. As on 31 March 2018, the Company had total 8.86 lakh6 consumers (20.48
per cent of total consumers) being billed through SAP. The Company billed a
total revenue of ` 9,041.21 crore during 2013-18 through this application.
The status of billing application used in ESDs and IRCAs as on 31 March 2018
was as shown in Table 2.1.
Table 2.1: Details of usage of Power CBS & SAP
Source: information furnished by the Company
The Company was in the process of migrating all its remaining LT consumers to
SAP. For this purpose, the Company had already prepared (November 2017) a
Detailed Project Report (DPR) while the Request for Proposal (RFP) was under
preparation. After preparation of RFP, the Company would be initiating the
tendering process for migration of LT consumers from Power CBS to SAP.
Organisational Structure
2.2 The organisational structure of the Company dealing with the billing
application has been depicted in the chart below:
6 8.69 lakh LT and 0.17 lakh HT consumers
Billing Units Billing Application
Total Power CBS SAP Power CBS & SAP
Electrical Sub-divisions
(in numbers) 68 17 73 158
Industrial Revenue Collection
Area (in numbers) Nil 17 Nil 17
System implementer:
M/s Tata Consultancy
Services
Nodal Officer, R-APDRP Cell
Assistant General Manager (IT)
Deputy Manager (IT)
Managing Director
Assistant Managers (IT)
Audit Report (PSUs) for the year ended 31 March 2018
32
Scope of Audit
2.3 The present Report covered the audit of the performance of SAP System
during the period from April 2013 to March 2018. As the SAP was a centralized
billing application, the System existing in all ESDs and IRCAs was identical.
Hence, the selection of any ESDs/IRCAs in terms of software application would
not make any difference excepting the verification of Physical, Logical and
Environmental Controls. Considering this, 6 out of 17 ESDs7 and 5 out of 17
IRCAs where SAP was fully implemented were selected for detailed scrutiny for
the present audit. The number of consumers and connected load formed the basis
of selection of samples. The details of the total number of consumers and the
connected load as on 31 March 2018 in respect of selected ESDs and IRCAs have
been shown in Table 2.2.
Table 2.2: Details of consumers/connected load as on 31 March 2018 in respect of
selected ESDs/IRCAs
Sl. No. Name of ESD/IRCA No. of consumers Connected Load (in KW)
1. Jalukbari ESD 27,351 52,454
2. Garbhanga ESD 26,677 74,868
3. Jorhat ESD 25,010 76,413
4. Basistha ESD 22,313 74,893
5. Kalapahar ESD 21,226 55,534
6. Nagaon ESD8 20,628 36,377
7. Guwahati IRCA - I 2,863 3,83,977
8. Jorhat IRCA 1,051 1,47,067
9. Guwahati IRCA - II 1,032 2,51,500
10. Nagaon IRCA 898 1,10,861
11. Tinsukia IRCA 716 1,47,380
Sample 1,49,765 14,11,324
Sample size in per cent 489 5210
Source: Information furnished by the Company
Audit Objectives
2.4 The audit objectives of the present performance audit were to assess
whether:
• appropriate methodology for development and implementation of SAP
was adopted;
7 Out of total 158 ESDs of the Company, SAP system was fully implemented only in 17 ESDs
8 Selected additionally being the pilot project of SAP based billing application.
9 1.5 lakh consumers (Sample) out of total 3.13 lakh consumers in 17 ESDs and 17 IRCAs
10 14.11 lakh KW (sample) out of total connected load of 27.04 lakh KW in 17 ESDs and 17
IRCAs
Chapter II – Performance Audit relating to Power Sector PSUs
33
• desired results were achieved by implementing all the four Modules of the
SAP based billing application;
• the business rules were correctly mapped and the System was customized
in conformity with these rules; and
• adequate controls existed to ensure data integrity and security in the
System so as to maintain business continuity plan.
Audit Criteria
2.5 The audit findings were benchmarked against the criteria derived from the
following sources:
� Electricity Supply Code and Related Matters Regulations (Regulations)
issued by Assam Electricity Regulatory Commission (AERC) from time to time;
� Schedule of Tariff issued by AERC;
� User manual of SAP;
� Letter of Award, Request for proposal, Software requirement
specifications; and
� Information Technology Audit Manual
Audit Methodology
2.6 The Audit methodology adopted for attaining the audit objectives involved
explaining the audit scope, audit objectives, audit criteria etc. to the top
management of the Company in the Entry Conference (11 May 2018). During the
conduct of audit, front-end view, access to portal along with data in excel,
Comma-Separated Values (CSV) and text format of SAP System of the Company
were scrutinized. The bills processed during 2016-17 and 2017-18 were analysed
using software tools namely Interactive Data Extraction and Analysis (IDEA), and
Excel to check integrity (accuracy and completeness), compliance (with rules and
regulations) and reliability of the billing data. Besides, Physical verification of IT
system in selected ESDs/IRCAs was also carried out during the course of audit.
The draft audit report was discussed (20 November 2018) with the representatives
of the GoA, Company and the System Developer (Tata Consultancy Services
Limited) in the Exit Conference. The formal replies (2 November 2018) of the
Company to the draft audit report as well as the views expressed by the
representatives of GoA and the Company in the Exit Conference, have been taken
into consideration while finalising the audit report.
Audit Report (PSUs) for the year ended 31 March 2018
34
Acknowledgement
The Indian Audit and Accounts Department acknowledges the cooperation of the
Government/Company for providing necessary information and records during
the course of the audit.
Audit Findings
General Controls
General controls include controls over Data Centre operations, system software
acquisition and maintenance, access security and application system development
and maintenance. Thus, general controls create the environment in which the
application systems and application controls operate.
Project proposal, planning and documentation
2.7 A feasibility study is essential to determine the viability of implementing
any project taking into account the legal, technical as well as economical aspects.
A proper feasibility study at pre-planning stage tells us whether the intended
project is doable and worth the investment. It was, however, observed that the
Company had not conducted any feasibility study before taking up
computerisation of billing system. It was, further observed that while
implementing the new billing system, the process of migration of consumer data
from Power CBS (old system) to SAP System was not documented. As a result,
the inception process of the project could not be verified by Audit.
Further, for effective monitoring of implementation of any project, a competent
Steering Committee comprising of representatives of the intended Users from all
areas of the business including the IT department was required to be in place. The
future direction in the course of implementation and improvement of system
agreed to by the Steering Committee is normally set out in a document known as
the IT strategic plan. Audit observed that no such Steering Committee was in
existence in the Company to guide the whole process of computerisation of billing
system.
During the Exit Conference (20 November 2018), the Government/Company
accepted the facts and stated that SAP was introduced under R-APDRP and
implemented in other States of the Country as well. Hence, the Company
presumed that SAP system would be feasible to implement. It was further stated
that no major issues as such, were faced by the Company due to non-conducting
of feasibility study. As regards the absence of Steering Committee, it was stated
that the IT Cell monitored the process of computerization. It was further added
that initially there were only two members in IT Cell and as such, the records
Chapter II – Performance Audit relating to Power Sector PSUs
35
relating to formation of IT Cell were not documented properly. At present, the IT
Cell was having about 50 members to monitor the IT process and assist the field
units in their billing related issues.
The contention of the Government/Company for not conducting feasibility study
was not acceptable in view of the fact that the IT system requirements vary from
State to State due to variation in their existing IT setup, applicable Rules,
Regulations etc. As regards non-existence of Steering Committee, the reply itself
indicated that IT cell was not sufficient to monitor the process of computerisation,
which eventually led to improper documentation of various stages of SAP
implementation.
Thus, absence of a proper feasibility study before implementing SAP system as
well as non-documentation of the process of migration of data from Power CBS
to SAP indicated deficient planning of the Company with regard to development
and implementation of SAP System.
Recommendation No.1: The Company should keep proper documentation of the
migration process of data while augmenting the new System to the left out LT
Consumers.
Dependency on old system of billing
2.8 As per Clause-3.9 of Section-G111
of the Work Order, the work scope of
the system developer (TCS12
) included migration of the historic transactions for at
least three years from Power CBS to SAP. On verification of SAP application in
the selected 6 ESDs and 5 IRCAs, Audit observed that although the historic data
were migrated for three years, the same could not be opened and viewed in the
new System. As a result, the IRCAs/ESDs had to access the required data through
the old billing system (Power CBS) whenever necessary. The above contention
was confirmed during the field inspection of 6 ESDs and 5 IRCAs conducted by
Audit. During the said field inspection, the Company officials had mentioned
about the old court cases, when the ESDs/IRCAs had to trace out the details of the
consumers concerned (such as connected load and consumption) from the old
billing system. It was informed by the Company officials that due to non-
availability of said records in the new billing system, ESDs/IRCAs had no other
option but to depend on old billing system.
In the Exit Conference (20 November 2018), the Government/Company stated
that the Company had not felt the necessity to open and view all the past details of
bills as the same would have overloaded the system and hampered normal
business processes. It was further stated that to resolve any issue arising from old
11
General-Technical Specification of Letter of Award. 12
Tata Consultancy Services Limited.
Audit Report (PSUs) for the year ended 31 March 2018
36
court cases, the historical data would be saved in centralized data bank for any
future requirement.
The fact, however, remained that the historic data though migrated, was of no use
for the field units due to its inaccessibility in the new system. This defeated the
prime objective of migration of data from Power CBS to SAP.
Recommendation No. 2: The issue of inaccessibility of migrated data should be
addressed so that the field units do not need to depend on old billing system in
case of any need.
Training of Users
2.9 Training and development of manpower were closely linked with staff
resource planning. The training to staff by the Company on regular basis was
essential to fulfil the requirement of changing IT environment, which was a
continuous process.
Audit observed that the Company had not imparted any formal training on SAP
with its regular employees (intended System Users) in 4 out of 5 IRCAs and 2 out
of 6 ESDs test checked. As such, the Users were completely dependent on the IT
personnel of the Company and TCS for operating the new System. This led to
various anomalies in operation of the application by the Users as discussed in the
succeeding paragraphs:
Manual preparation of temporary connections bills
(i) As per tariff provisions, temporary connections (TC) were those against
which the electricity was supplied for a period not exceeding one month. During
field inspection of six selected ESDs by Audit, it was observed that though the
provision for processing of temporary connections bills was incorporated in the
system, five out of six selected ESDs did not process the temporary connections
bills through SAP system due to lack of adequate training to its staff. On the
contrary, it was noticed that the temporary connection bills in said five ESDs were
being prepared manually thereby leaving ample scope for human errors in
preparation of bills.
On verification of 230 cases of temporary connection under 5 ESDs, it was
observed that in 13 cases, there was short billing of ` 9,653 due to application of
incorrect tariff, calculation mistakes and short levy of electricity duty. In another
26 such cases, there was excess billing of ` 1,733 due to calculation mistakes,
excess levy of electricity duty etc.
Chapter II – Performance Audit relating to Power Sector PSUs
37
Manual preparation of assessment bills
(ii) On detection of various malpractices such as theft/misuse of electricity,
meter tempering, hooking and excess connected load, the Company was to
prepare assessment bills as per the methodology prescribed by Assam Electricity
Regulatory Commission (AERC) and serve the same to the consumer for
payment. Audit observed that though the provision for processing of assessment
bills was incorporated in the System, 5 out of 6 ESDs and 3 out of 5 IRCAs test
checked did not process assessment bills through SAP and these bills were
prepared manually. Out of 378 theft/misuse cases verified by Audit, anomalies
such as application of incorrect tariff/formula/electricity duty/energy
charges/meter rent were noticed in 56 cases leading to short-billing of ` 19.97
lakh.
As evident from the above, the Company failed to eliminate billing errors due to
the existence of human intervention in preparation of bills even after
implementation of SAP.
During the Exit Conference (20 November 2018), the Government/Company
stated that training was imparted selectively based on the concept of training of
trainers. It was, however, assured to impart required training with the System
Users wherever necessary. As regards the manual processing of bills, the
Government/Company stated that henceforth, all bills would be processed through
SAP system.
The reply was not tenable as the system was meant to be used by all the field
units, as such the choice of selective training was not justified. Further, there was
also failure on the part of the Company to address the instances of preparing the
bills manually by evaluating the effectiveness of training.
Thus, absence of proper training of the intended System Users had led to
existence of manual system of billing defeating the basic objective of the SAP
system.
Recommendation No. 3: Adequate training should be imparted to the System
Users so as to eliminate the scope of manual billing.
System Design Deficiencies
On review of the SAP application through data entry screens as well as the
analysis of data received from the Company, the following system design
deficiencies were noticed:
Audit Report (PSUs) for the year ended 31 March 2018
38
Meter Billing Collection (MBC) Module
Absence of vital business logic in the system
2.10 Clause 4.2.2.4 of the AERC Regulations stipulated that where actual meter
reading cannot be ascertained, the assessed quantity of energy consumed shall be
determined by taking the average consumption for the previous three months,
preceding the date on which the defect was detected or the next three months after
correction of the defect, whichever was higher.
Audit observed that the System was enabled to calculate the average consumption
for the previous three months automatically in case the meter became defective.
The System, however, had no provision to calculate revised average consumption
for next three months after correction of meter defect. Hence, in all such cases,
IRCAs/ESDs concerned had been doing this exercise manually. Further, the
system did not give any alert for raising of the supplementary energy bill in case
the revised average consumption for three months after rectification of meter
defect was higher than the average consumption of previous three months. During
the conduct of audit, 22 cases of defective meters relating to 3 IRCAs were test
checked, Audit observed that the revised average consumption in 5 out of
22 cases was higher than the previous average consumption. In absence of above
business logic in the system, supplementary bills were not served to the
consumers concerned resulting in short billing of revenue aggregating ` 32.40
lakh by the Company.
During the Exit Conference (November 2018), the Government/Company
accepted the facts and stated that the Company would incorporate necessary
provision in the system to raise alert in case the revised average consumption
(after replacement of meter) of any consumer recorded higher than the previous
consumption so that the consumers could be served with supplementary bill
through the system without manual intervention.
The fact, however, remains that design deficiencies in SAP system made it
unreliable for the purpose of raising supplementary bills.
Recommendation No. 4: Issue of supplementary bills after replacement of meter
is a normal practice in electricity business. Hence, the Company needs to rectify
the system defect at the earliest to avoid further loss of revenue .The Company
should internally examine similar issues in other IRCAs also.
Failure to establish interface with Common Meter Reading Instrument
2.11 As per Clause M15 of the Metering Module of Software Requirement
Specifications (SRS), the system should support the data downloading and
uploading from Common Meter Reading Instrument (CMRI). During field
Chapter II – Performance Audit relating to Power Sector PSUs
39
inspection (June-July 2018) of 5 out of 17 IRCAs test checked, Audit observed
that the data of HT consumers captured through CMRI in all the 5 IRCAs were
first downloaded to computers and then the meter reading data were manually fed
into the SAP system. The methodology adopted by the Company leaves the scope
for error while feeding the meter reading data manually into the System. As such,
the correctness and the accuracy of the consumption data maintained in SAP
could not be assured.
During the Exit Conference (20 November 2018), the Government/Company
stated that the provision of data downloading/uploading from/to CMRI in the
system had already been implemented. The Government/Company, however,
could not provide the exact date of implementation of the said supporting
provision to Audit. The Government/Company further accepted that some CMRIs
could not be interfaced with SAP due to compatibility issues.
The reply was not acceptable as the SAP system failed to establish interface with
CMRIs as on January 2019 as confirmed by field unit.
Recommendation No. 5: The Government/Company needs to address the
compatibility issues between SAP and the CMRIs to rule out the scope of any
human intervention in recording of the meter reading data into the System. The
Company should internally examine similar issues in other IRCAs also.
No provision for automatic calculation of processing fee
2.12 AERC specified (November 2017) rates of processing fees applicable for
various operations such as change in name/category/load of the consumer on
payment of the processing fees ranging between ` 20 to ` 5,000. Audit observed
that the System design was not enabled to calculate the processing fee
automatically in case of change in the load/name/category/phase of the consumer.
As such, the processing fee for any change in the consumer details was being
entered manually in the System leaving a scope for human errors. In 122 out of
301 cases of change in the load/name of the consumers in respect of five13
out of
six ESDs test checked, a short levy of processing fee of ` 14,950 was observed in
audit. Similarly, there was also excess levy of processing fee of ` 5,560 in another
53 cases test checked by Audit under the said 5 ESDs.
Thus, business rules were not properly programmed in the system, which allowed
the Users to enter processing fees manually. As a result, the System could not
ensure collection of processing fee in accordance with the provisions of AERC
Regulation.
13
Out of 17 ESDs where SAP was fully implemented
Audit Report (PSUs) for the year ended 31 March 2018
40
During the Exit Conference (20 November 2018), the Government/Company
accepted the facts and stated that the processing fee as prescribed by AERC
would be incorporated in the System to avoid such error in future.
The fact, however, remains that the Company kept the system for collection of
processing fee at the User’s choice, which led to violation of AERC Regulation.
Recommendation No. 6: The processing fees prescribed by AERC for various
purposes should be incorporated in the system immediately to eliminate the scope
for errors. The Company should internally examine similar issues in other ESDs
also.
Incorrect conversion of connected load from KW to KVA
2.13 As per the Schedule of Tariff (SoT), four categories of consumers (i.e. HT
Domestic, HT Commercial, HT Public Water Works and HT Small Industries
category) did not have a choice to opt separately for the Contract Demand.For the
purpose of levying the fixed charges in the case of said four categories of
consumers, the Contract Demand was to be worked out automatically through
system by converting the Connected Load (in KW) into Contract Demand (in
KVA). As such, the System should have been enabled to derive the Contract
Demand (KVA) of the said consumers through conversion of the Connected Load
(KW) after applying the power factor of 0.85. The fixed/demand charge
should accordingly be levied in the System for the said four categories of
consumers based on the Contract Demand so derived from the Connected Load
(100 per cent).
It was, however, seen that the convertible value of KW into KVA was entered
into the System manually, which led to determination of incorrect Contract
Demand and levying of incorrect fixed/demand charges on consumers. Analysis
of 58,861 transactions relating to 5,325 HT consumers in 17 IRCAs for the period
2016-17 revealed that the Contract Demand of the consumers was not correctly
entered into the System. In 3,063 cases pertaining to 270 consumers under
15 IRCAs, Contract Demand corresponded to 46 to 99 per cent of the Connected
Load. The understatement was in the range of 1 KVA to 311 KVA due to which
the Company short-billed an amount of ` 35.40 lakh towards fixed/demand
charges during 2016-17 against these consumers.
Further, the Contract Demand in other 5,231 cases pertaining to 496 consumers
under 17 IRCAs corresponded to 101 to 270 per cent of total Connected Load
resulted in overstatement of Contract Demand in these cases. The Contract
Demand of the consumers was overstated in the range of 1 KVA to 99 KVA due
to which there was excess billing of fixed charges by ` 9.67 lakh.
Chapter II – Performance Audit relating to Power Sector PSUs
41
Thus, absence of automatic conversion of KW in KVA rendered the system
unreliable for the purpose of calculating fixed charges in respect of the above
mentioned four categories of HT consumers.
During Exit Conference (20 November 2018), the Government/Company
accepted the facts and assured to rectify the defect in the System to avoid revenue
loss in future.
Recommendation No.7: The provision for auto-conversion of Connected Load
(KW) into Contract Demand (KVA) for the relevant categories of consumers
should be incorporated in the system immediately so as to eliminate reoccurrence
of such errors.
Processing of bills ignoring the basic logic
2.14 The electricity bill of a consumer should have been processed considering
the basic logic that a consumer with a connected load of 1 KW could consume a
maximum of 720 kwh14
in 30 days even if the consumer uses the full load
24 hours a day.
Audit observed that the System allowed processing of electricity bills ignoring
this basic logic. Analysis of data revealed that one LT domestic consumer
(No. 51000348063) having connected load of 1 KW was served with a bill for
99,428 KWH consumption for 31 days instead of a maximum possible
consumption of 744 KWH.
During the Exit Conference (20 November 2018), the Government/Company
accepted the observation and assured to incorporate necessary provisions in the
billing system so that a small consumer was not billed for abnormally high
consumption ignoring the basic logic.
Recommendation No. 8: The system should allow to process bills only after
considering the basic logic. To ensure this, the Company needs to incorporate
proper provision in the system with the help of system developer.
Mismatch of bill format
2.15 Analysis of bill format issued to the consumers revealed that some of the
basic consumer details like service connection number, billing status
(regular/assessed/provisional bill), previous payment details etc. were not
incorporated in the monthly electricity bill in violation of Clause 6.3.5 read with
6.3.13 of AERC Regulations.
During the Exit Conference (20 November 2018), the Government/Company
stated that there were some practical difficulties in setting of the bill format. The
14
1 KW x 24 Hours x 30 Days = 720 KWH
Audit Report (PSUs) for the year ended 31 March 2018
42
Government/Company, however, assured to modify the billing format shortly so
as to include all the relevant particulars in the electricity bill as far as practicable.
Recommendation No. 9: The Company needs to modify the billing format
immediately so that the bills generated through SAP system includes all relevant
details of consumers as prescribed by AERC.
Customer Relationship Management (CRM) module
Pending updation of Geographical Information System (GIS) database
2.16 As per the advisory issued by Power Finance Corporation Limited15
, it
was essential for the Company to have up-to-date GIS asset and consumer
information in the GIS repository at all times. Further, as per the Software
Requirement Specifications (SRS16
), while releasing a new service connection, a
request with information on connected load, connection type, consumer ID and
other details were to be transmitted through the System from the CRM Module to
GIS module. This exercise was essential to confirm whether the distribution
transformer (DTR) and feeder from which the connection was to be allowed had
the required capability to release the desired load to the consumer. In response to
such request, a Load Flow Analysis (LFA) Report was to flow from GIS to CRM
containing information on DTR Capacity/Loading, GIS feasibility (either positive
or negative), etc. and the said information/fields were to be stored in service
contract item.
Audit observed that the Company had never updated the GIS database for
ongoing changes in electrical network and consumers in field, which was a
continuous process. As a result, the GIS mapping of assets and consumer
information prepared for the project areas became outdated. Due to outdated GIS,
the ESDs had been by passing the requirement of load flow analysis by selecting
the option ‘Network feasibility not required’ at the time of releasing new service
connections in SAP. As such, new service connections were being released
without getting any LFA report from the GIS. Audit further observed that out of
456 new service connections released by 6 ESDs17
during April 2017 to June
2017, 396 connections (86.84 per cent) were released from overloaded DTRs. The
overloading of DTRs could result in increase in distribution losses as well as
possibilities of frequent breakdown of DTRs.
During Exit Conference (20 November 2018), the Government/Company assured
to explore the possibility of updating the GIS database so that no new connection
was released from overloaded DTRs.
15
A Government of India PSU appointed as Nodal Agency for implementation of R-APDRP
scheme under the guidance of Ministry of Power, Government of India. 16
Condition NC9 and NC26 of CRM module 17
Out of 17 fully SAP based ESDs
Chapter II – Performance Audit relating to Power Sector PSUs
43
The fact, thus, remains that due to absence of up-to-date GIS database, the
Company could not ensure the connected load of distribution transformers at
optimum level.
Recommendation No. 10: The Company needs to ensure regular updation of the
GIS database for successful implementation of CRM module.
System alert message for delay in issuing new connection
2.17 As per Clause 3.5 of AERC Regulations, the maximum prescribed time
limit for the new connection release in urban areas was 30 days from the date of
submission of registration form provided no extension work to existing network
was required and the pole distance from the premises of the consumer was less
than 30 meters.
Audit observed that the provision for generating alert message in case of delay in
release of connection was not incorporated in the system to facilitate timely
release of new connections. Audit observed that in 6 ESDs test checked, 650 out
of 1,366 service connections released during December 2017 to March 2018 had
been delayed for periods ranging from 1 to 840 days. Hence, timely release of
new service connections could not be ensured due to absence of necessary alert
system.
During the Exit Conference (20 November 2018), the Government/Company
assured to take necessary action in the matter to address the issue.
The fact, thus, remains that in absence of necessary alert system, the Company
could not release new service connections within the prescribed time limit.
Recommendation No. 11: The existence of necessary alert system helps in timely
release of new service connection. The Company needs to incorporate the same in
the system immediately to maximize consumer satisfaction. The Company should
internally examine similar issues in other ESDs also.
Web Self Service (WSS) Module
Designing of web portal and its associated facilities
2.18 The WSS Module was mapped in the portal18
to provide a high quality
experience for the consumers and make it easy for them to communicate with the
Company through the web instead of direct phone calls or visits. The portal also
acted as a source of information for the consumers regarding policies and
procedures of the Company. On checking of WSS Module, the audit observed the
following:
18
www.apdcl.org
Audit Report (PSUs) for the year ended 31 March 2018
44
• The web page contained the brief description about the Company, its
mandate, Board of Directors, power map, tariff rates, applicable Acts and Rules
etc. Login component was present and registered Users could login using the
username and password. New Users could also register by clicking on the ‘First
Time Users Register’ link. The ‘Forgot Password’ link was meant to help the
Users to retrieve their password. Further, the facility to lodge complaint and track
its status by the applicant also existed in the System.
• The portal facilitated for online application of new service connection
along with the option to upload scanned copies of necessary documents such as
passport, photo, affidavit, proof of ownership etc. The applicants could also check
their application status. The consumer could also make online payment of
electricity bills through various modes such as net-banking, debit/credit card,
NEFT/RTGS and e-wallets.
• The portal contained various interactive features, such as, Frequently
Asked Questions (FAQ), email facilities, feedback forms, presence of social
media links (facebook, twitter etc).
Hence, the web portal of the Company was appropriately designed duly
incorporating all possible provisions in the System as far as practicable to provide
quality experience to its consumers, thereby increasing the consumer satisfaction.
Energy Audit (EA) Module:
Anomalies in generation of Energy Audit Report
2.19 The purpose of implementing the Energy Audit (EA) Module was to
monitor important distribution parameters, capture hierarchical view of energy
accounting, intelligent analysis tools for plugging loopholes and identifying
revenue leakage and calculate/identify technical and commercial losses.
Audit observed that the system facilitates for EA at three levels19
. Ideally the
energy injected into the system should be either equal to or greater than energy
billed. On analysis of Energy Audit Report of 6,140 DTRs for the month of
March 2018 in respect of four project areas20
, Audit observed that in case of 2,533
DTRs, energy injected figure was recorded as 'Zero' while energy billed against
these DTRs was 35.02 MU which was not realistic. Similarly, in case of another
124 DTRs, the energy injected figure (i.e. 0.73 MU) was less than the energy
billed figure (i.e. 2.12 MU) which was not possible and indicated the existence of
defects in the System.
19
Project area wise, Feeder wise and DTR-wise 20
Guwahati, Nagaon, Jorhat and Tinsukia
Chapter II – Performance Audit relating to Power Sector PSUs
45
The Company accepted the facts and stated (November 2018) that it would look
into the matter and resolve the issue at the earliest.
The fact, however, remains that the DTR wise energy audit reports generated by
the System were not reliable and the same could not be used as analysis tools for
plugging loopholes and identifying revenue leakage.
Recommendation No. 12: The Company needs to rectify the deficiencies in EA
module immediately so that the system would generate correct energy audit
reports which can be used for further analysis purpose.
Mapping of business rules
The Company mapped business rules in the billing system in accordance with the
AERC Regulations and Schedule of Tariff (SoT) issued by AERC. Audit
observed the instances where business rules were not properly mapped as
discussed in the following paragraphs:
Meter Billing Collection (MBC) Module
Excess billing of Power Factor penalty
2.20 The Power factor (PF) is an indicator of the quality of design and
management of an electrical installation and the same is worked out as a ratio of
the total kilowatt-hour (KWH) to kilo volt-ampere hour (KVA) supplied during a
given period. The PF was recorded electronically by the energy meters and the
same was taken into account while preparing the bill of a consumer. As per SoT,
PF penalty at different slabs was to be levied on the consumer in case the monthly
average PF of the consumer ranged between 85 and 30 per cent. Hence, as per the
SoT, no PF penalty was leviable in case the PF fell below 30 per cent.
On analysis of 77,385 transactions of 6,969 HT consumers21
of 17 IRCAs for the
year 2016-17, Audit observed in 2,933 transactions pertaining to 618 consumers
under 17 IRCAs, PF penalty was imposed even though the PF fell below
30 per cent in violation of SoT. As a result, there was excess billing of PF penalty
amounting to ` 20.56 lakh.
During the Exit Conference (20 November 2018), the Government/Company
accepted that any penalty imposed not backed by any Rule/Act was irregular. The
Government/Company, however, assured to take up the matter with AERC for
their opinion.
The fact, however, remains that the logic for imposing power factor penalty was
mapped ignoring the provisions of SoT issued by AERC. 21
Six categories: HT Domestic, HT Commercial, Public Water Works, Bulk Supply
(Government), Bulk Supply (others), HT Small Industries category
Audit Report (PSUs) for the year ended 31 March 2018
46
Recommendation No. 13: The Company needs to map the business rules strictly
in adherence to SoT/AERC Regulations.
Non-incorporation of provision for minimum contract demand
2.21 As per SoT, the HT consumers under Tea, Coffee, Rubber category could
opt for seasonal tariff (April to August) or off-season tariff (September to March)
as per their convenience.
To avail the above option, the Contract Demand of such consumers
during seasonal and off-season period, should be at minimum prescribed level of
65 per cent and 26 per cent of the Connected Load respectively. Audit observed
that the provision regarding minimum Contract Demand for seasonal and off-
season period was not incorporated in the System. As a result, SAP system
allowed fixing Contract Demand below the minimum prescribed level in violation
of SoT.
The analysis of 4,261 transactions of 865 consumers under 17 IRCAs for the
period April 2016 to August 2016 revealed that in 83 transactions pertaining to
19 consumers under 7 IRCAs, the seasonal Contract Demand ranged between
25 and 64 per cent of total connected load against minimum Contract Demand of
65 per cent leading to short-billing of ` 7.89 lakh in the form of demand charges.
Similarly, out of 6,036 transactions of other 885 consumers under 17 IRCAs, in
19 transactions pertaining to 10 consumers under 6 IRCAs for the period
September 2016 to March 2017, the off-seasonal Contract Demand ranged
between 16 and 25 per cent against minimum contract demand of 26 per cent
of total connected load. As a result, the Company short-billed an amount of
` 0.90 lakh in the form of demand charges.
During the Exit Conference (20 November 2018), the Government/Company
assured to look into the matter and incorporate the necessary provisions for
seasonal and off-seasonal demand in case of Tea, Coffee & Rubber category of
consumers.
Recommendation No. 14: The provision for minimum contract demand for
seasonal and off-season consumers under HT Tea, Coffee and Rubber category
should be incorporated in the system immediately to avoid further loss of revenue.
Wrong categorization of consumers due to lack of validation check
2.22 Proper categorization of consumers was essential for ensuring correct and
accurate billing of energy supplied so as to eliminate any scope for under or over
recovery of electricity charges. To achieve this, the System should have proper
validation checks of data with reference to the applicable category and Connected
Load/Contract Demand of the consumer. Audit observed that there was absence
Chapter II – Performance Audit relating to Power Sector PSUs
47
of data validation checks in the System due to which the following cases of wrong
categorization came to the notice of Audit:
(i) As per SoT, the consumers (exclusively domestic) having Connected Load
of (i) below 5 KW and (ii) 5 KW or more but below 20 KW; were to be
categorized as ‘Domestic-A’ and ‘Domestic-B’ consumers respectively. The
applicable tariff in case of Domestic-B category was higher than that of
Domestic-A category of consumers.
Audit observed that 1,485 consumers having Connected Load in the range 5 KW
to below 20 KW during the year 2016-17 under all 17 ESDs22
were billed as
Domestic-A instead of Domestic-B category in violation of SoT due to wrong
classification of consumers in the System. As a result, the Company short-billed
an amount aggregating ` 12.21 lakh in respect of these consumers. Besides, these
consumers had also irregularly availed the benefit of Government subsidy of
` 6.91 lakh despite their being not eligible for the same.
(ii) Similarly, as per SoT, the industrial consumers having Contract Demand
between 25 to 50 KVA and 50 to 150 KVA were to be categorized as ‘HT-Small
Industry’ and ‘HT-I Industry’ respectively. The applicable tariff was accordingly
higher in case of HT-I Industry category.
On analysis of 11,477 transactions of 1,042 HT Small Industry consumers in 17
IRCAs, it was noticed that in 26 transactions of 3 consumers in 3 IRCAs,
categorisation was wrongly done in the System as HT-Small Industry instead of
HT-I Industries during the year 2016-17. As a result, the Company short-billed an
amount of ` 2.10 lakh due to billing the consumers at lower tariff.
(iii) As per SoT, the industrial consumers having Contract Demand between
50 to 150 KVA and above 150 KVA were categorized as ‘HT-I Industry’ and
‘HT-II Industry’ respectively. Accordingly, the tariff was higher in case of HT-II
Industry category.
On analysis of 1,621 transactions of 153 HT-I Industries consumers in 15 IRCAs
for the year 2016-17, it was seen that 57 transactions of 9 consumers under 7
IRCAs were wrongly categorized under HT-I Industries instead of HT-II
Industries. As a result, there was short billing to the extent of ` 9.56 lakh in these
cases.
Further, on analysis of 637 transactions of 69 HT Industries consumers for the
year 2016-17 in 12 IRCAs, it was seen that 10 transactions of 3 consumers in 1
IRCA were wrongly categorized as HT-II Industries instead of HT-I Industries.
As a result, there was excess billing of ` 2.15 lakh against these consumers.
22
Where SAP was fully implemented
Audit Report (PSUs) for the year ended 31 March 2018
48
Therefore, lack of proper validation checks in the system resulted in wrong
categorisation of consumers. This led to incorrect billing and grant of government
subsidy to ineligible consumers.
During the Exit Conference (20 November 2018), the Government/Company
stated that at present, necessary validation checks have been placed in the System
to maintain proper rate category in accordance with Connected Load/Contract
Demand of a consumer. The Government/Company further assured to explore the
possibility of recovering the short-billed amount from the consumers, which
occurred due to incorrect classification of consumers.
The fact, however, remains that the Company suffered loss of revenue due to
absence of proper validation checks in the system.
Recommendation No. 15: The Company needs to recover the short-billed amount
from the consumers concerned, which had occurred due to wrong categorization
of consumers. The Company should internally examine similar issues in other
ESDs also.
Anomalies in calculation of revised security deposit
2.23 Clause 6.2.1.2.1 of the AERC Regulations stipulated that the amount of
security deposit obtainable from a consumer should be reviewed every year based
on the actual consumption of the consumer during the previous year. The
consumer was accordingly required to pay additional security deposit or be
refunded any excess amount of security deposit held by the Company beyond the
stipulated amount.
Audit observed that although the System was enabled to calculate the revised
security deposit, the security deposit of consumers were revised through SAP
system only in 223
out of 5 IRCAs test checked. In the remaining 3 IRCAs,
however, the security deposit was revised manually as and when required. In this
connection, following anomalies were noticed:
(i) Refundable logic at the choice of the user: The logic for demand/refund
of the security deposit should have been automatically processed and adjusted in
the monthly bills by the System. On analysis of data, relating to the security
deposit of 2,805 consumers revised through SAP in respect of Guwahati IRCA-I
for the year 2016-17, Audit observed that in respect of 767 consumers, the
company held a security deposit amount, which was higher than the revised
security deposit calculated by the System. The differential amount of ` 10.93
crore was, however, not refunded to the consumers through adjustments in
subsequent electricity bills. Similarly, on analysis of data relating to security
23
Guwahati IRCA-I (2015-16 and 2016-17) and Tinsukia IRCA (2016-17)
Chapter II – Performance Audit relating to Power Sector PSUs
49
deposit of 511 consumers revised through SAP in respect of Tinsukia IRCA for
the year 2015-16, Audit observed that the System failed to refund ` 1.09 crore
through automatic adjustment in electricity bills in respect of 73 consumers whose
revised security deposit was less than the original security deposit.
During the Exit Conference (20 November 2018), the Government/Company
stated that there was option of refund of excess security deposit in the System and
the same was placed at the disposal of the field offices. The
Government/Company further mentioned that since high rate of interest was
payable on security deposit, it was wise for the Company to refund the excess
security deposit. The Government/Company assured to attempt designing the
System in such a way that no provision of AERC Regulation was violated.
The contention of the Government/Company regarding placing the option of
security refund at the disposal of field offices was not acceptable as refund of
excess security deposit was mandatory as per AERC Regulation. Hence, any
refund of excess security deposit should have been automatically adjusted in
monthly bills in the same way as recovery of additional security deposit was
effected through adjustment in bills.
Recommendation No. 16: The Company needs to design the system in such a way
that the refund amount gets automatically adjusted in the subsequent bills of the
consumer on revision of security deposit instead of placing the same at User’s
discretion.
(ii) Non-consideration of interim payments made by consumers: The
exercise for revision of security deposit was carried out on 20 December 2017
based on the consumption for the year 2016-17. While calculating the amount of
additional security deposit, the System should have taken into account all the
payments made by the consumers towards security deposit till the date of
revision. On analysis of data relating to the security deposit of 2,805 consumers
revised through SAP in respect of Guwahati IRCA-I for the year 2016-17, Audit
observed that the system did not consider payments aggregating ` 3.39 crore
made by the 448 consumers towards security deposit between 31 March 2016 and
20 December 2017. As a result, the consumers were asked to pay additional
security deposit, which they were not actually liable for. On receipt of complaints
from consumers, the same had to be rectified by the Company manually.
The Company accepted (November 2018) that the procedure followed for not
considering interim payment for calculation of additional security deposit was
incorrect. The Company further assured to immediately re-check the logic and
rectify the same so that there were no complaints from consumers.
Audit Report (PSUs) for the year ended 31 March 2018
50
The fact, however, remains that the System kept in place for revision of security
deposit failed to ensure accuracy in calculation and hence, the same was
unreliable.
Recommendation No. 17: The System should consider all payments made by the
consumer towards security deposit till the date of revision while calculating the
amount of additional security deposit. To ensure this, the Company needs to map
the business logic accordingly with the help of system developer.
Application and Security Controls
Application controls
Application controls pertain to specific computer applications. These application
controls help to ensure the proper authorization, completeness, accuracy, and
validity of transactions, maintenance and other types of data input. The absence of
application controls such as input control and processing controls were noticed in
the SAP system, which have been elaborated under the following paragraphs:
Input controls
Acceptance of invalid PIN Codes
2.24 All the possible Postal Index Number (PIN) codes of different localities of
the State should have been incorporated in the system so as to provide an effective
validation check against the entry of invalid PIN codes for any electricity
connections. Audit observed that in 19,094 out of 21,618 transactions processed
by Basistha ESD for the month of March 2018, the PIN code was mentioned as
‘000000’ which was incorrect and should not have been accepted by the System.
This implied that there was absence of data validation check with respect to input
entry of PIN code.
During the Exit Conference (20 November 2018), the Government/Company
assured to conduct Know Your Customer (KYC) process in all ESDs and IRCAs
to incorporate the correct PIN code in the personal details of each consumer.
Recommendation No.18: The Company needs to incorporate proper validation
checks in place to ensure acceptance of correct PIN codes by the system.
Acceptance of unusual meter numbers
2.25 To ensure the accuracy and authenticity of the data input, the System
should have appropriate in-built control for automatic check of the input data
entries. Audit observed that in 3 out of 178 consumers details (LT Domestic-A)
test checked in Basistha Sub Division for the year 2017-18, meter numbers were
Chapter II – Performance Audit relating to Power Sector PSUs
51
found captured by the System with unusual patterns (viz. AS128048_1,
AS066821_1, 460862_1). As such, the possibility of processing the transactions
with arbitrary meter numbers through SAP system could not be ruled out.
During the Exit Conference (20 November 2018), the Government/Company
stated (November 2018) that when a meter was replaced and the same meter was
reissued to a different consumer, the meter numbers were being entered in the
System with a combination of special characters and number as SAP only allowed
input entry of unique meter numbers.
The reply was indicative of the fact that there was a possibility of processing
transactions with forged meter numbers through SAP System.
Recommendation No. 19: The Company needs to address the issue of accepting
unusual meter number through appropriate modification in the system logics.
Processing controls
Processing of transactions without pole number
2.26 The LT consumers were provided the connection from a particular pole
attached to a DTR. Hence, it was essential that every LT consumer should have a
pole number assigned to it. Audit observed that in Garbhanga ESD (2017-18), 36
out of 2,96,533 transactions under LT category were processed without assigning
any pole number. In absence of the pole number details in the System, the exact
location of the consumer could not be ascertained. Further, absence of this
information in the System would also create difficulties in updating of the GIS
database.
During the Exit Conference (20 November 2018), the Government/Company
accepted that pole number was an essential information and it must be displayed
in all the transactions of consumers. The Government/Company also assured to
look into the matter and resolve the issue at the earliest.
Recommendation No. 20: The Company needed to address the issue of
processing transactions without pole number at the earliest to overcome the
difficulties that might arise during updation of GIS database.
Processing of bills for abnormal billing cycles
2.27 Clause 6.2.6.1 of AERC Regulations stipulated that the billing cycle of
consumers should normally be 30 days. However, the billing cycle could be
extended upto 60 days in special circumstances with proper communication to the
consumer concerned. On analysis of billing data, Audit observed that
22 transactions pertaining to 10 consumers were processed by the System for a
period ranging from 116 to 1,889 days in violation of AERC Regulations.
Audit Report (PSUs) for the year ended 31 March 2018
52
During the Exit Conference (20 November 2018), the Government/Company
stated that the provision for higher billing cycle than prescribed was kept in the
System to take care of the exceptional cases such as regularizing the irregular
connections and billing the unbilled consumers. The Government/Company
further assured to look into the issue for appropriate action.
The fact, however, remained that there was no provision in the System to indicate
the reason for processing bills beyond the prescribed billing period.
Recommendation No. 21: It is recommended that the Company should
incorporate necessary provision in the system to indicate proper reason while
processing bills for period more than the prescribed billing period.
Processing of unusual transactions
2.28 On analysis of 5,05,939 transactions of 43,881 LT consumers in Basistha
ESD for the year 2017-18, Audit observed the following unusual transactions:
• Two bills having same consumer ID (51000281910) were processed with
same bill date (7 May 2017), bill period, bill amount, kWh consumption,
document number but with different combination of previous and current reading.
This indicated existence of bill processing issues in the System providing scope
for processing more than one bill against the same document number.
• Three transactions of a consumer ID (51000289557) were processed with
doubtful meter readings, wrong calculation of energy charge, different meter
numbers and wrong consumer ID pattern etc.
• In case of ‘Zero’ consumption recorded during a billing cycle, the
consumer concerned should be billed for the minimum fixed charges. Audit
observed that in 242 transactions having ‘Zero’ consumption, no billing was done
by the System.
• In 8,352 transactions, although energy consumption was found to be
recorded as ‘Zero’, no provision in the System was present to indicate the reason
for the same.
• As the System allowed processing of unusual transactions, the possibility
of errors in billing data could not be ruled out.
During the Exit Conference (20 November 2018), the Government/Company
assured to verify the data analysed by Audit and take appropriate steps to resolve
the issues pointed out.
Recommendation No. 22: The Company should place proper control mechanism
in the System so that there is no scope for processing of unusual transactions.
Chapter II – Performance Audit relating to Power Sector PSUs
53
Output controls
Consideration of power factor with three decimal places
2.29 AERC Regulations stipulated that the PF ratio should be determined after
rounding off the figures to two decimal places. Audit observed that the System
did not round off the PF ratio to two decimal places. As a result, while processing
the bills, the digit in the third place was considered for calculation of PF
penalty/rebate leading to short and excess recovery of electricity charges. On
analysis of 77,385 transactions of 6,969 HT consumers in 17 IRCAs for the year
2016-17, Audit observed that there was a short recovery of energy charges
aggregating ` 6.01 lakh in 5,305 transactions of 2,099 consumers, while there was
an excess recovery of ` 9.44 lakh in another 7,061 transactions of 2,391
consumers.
During the Exit Conference, the Government/Company stated (20 November
2018) that the facility was provided at the disposal of the End Users to enter the
PF readings in the billing system. It was further stated that in the case of
automatic meter reading (AMR) based consumers (all HT consumers), the AMR
meters were pushing Average Power Factor Readings up to 3 Digits.
The reply was not acceptable as the SAP application should be configured to
round off the readings upto 2 decimal places so that it was processed as per the
provisions of AERC Regulation.
Recommendation No. 23: The Company should either modify the system to round
off the PF ratio to two decimal places as per AERC Regulations or in case of any
practical difficulties in modifying the system, it should pursue the matter with
AERC for necessary modification in the Regulations.
Duplicate generation of bills
2.30 On analysis of 1,77,789 transactions of 15,117 Domestic-A consumers in
Basistha ESD for the period 2017-18, Audit observed that the transactions of 341
consumers appeared 20 to 48 times against maximum possible 12 transactions in a
year considering the billing cycle of 30 days. This indicated a lack of output
control in the System leading to existence of same bill in the database for multiple
times. As a result, the System would be overloaded with unnecessary billing data
hampering its efficiency considerably.
During Exit Conference (20 November 2018), the Government/Company stated
that the data analysed by Audit would be checked for further reply from their end.
Recommendation No. 24: The Company needs to incorporate proper output
controls in the system to address the issue of generating duplicate bills.
Audit Report (PSUs) for the year ended 31 March 2018
54
Security Controls
2.31 A well-thought comprehensive IT policy demonstrates the ability of an
organization to reasonably protect all business critical information and related IT
information processing assets from loss, damage or abuse. It was, thus, important
for the Company to establish an appropriate IT policy to ensure effective
operation of the IT system and safety/security of its database. IT Policy of the
Company envisaged following two basic levels of controls:
Physical Access Controls: These controls restrict the physical access of the
System to the authorised Users only; and
Logical Access Controls: This protection mechanism limits User’s access to
information relevant to their work profile only besides restricting the forms of the
User’s access on the System to only what was appropriate for them.
Audit observed that even though the Company had implemented the computerized
billing System in the organisation, it had not devised and adopted an appropriate
IT Policy so far (December 2018). The following observations have been noticed
in this regard:
Weak Environmental Controls
2.32 For a secured IT set up, well-planned environmental controls were
necessary to protect the hardware in case of any accident or mishap including the
incidence of fire. Physical verification of IT Setup of 6 ESDs and 5 IRCAs
revealed that no fire extinguishers or fire alarm system had been installed in any
of the ESDs/IRCAs for protection against fire.
In the Exit Conference (20 November 2018), the Government/Company assured
to place fire extinguisher/fire alarm system in ESDs and IRCAs so as to maintain
a healthy environment for IT set-up in all offices.
Recommendation No. 25: It is recommended that the Company should
immediately install fire extinguishers/fire alarm system to ensure protection of the
hardware against the incident of fire.
Secured mode of login
Password Policy
2.33 The most common form of logical access control was login identifiers
(IDs) followed by password authentication. To ensure effectiveness of the
passwords, there must be appropriate password policy and procedures in place,
which should be followed by all the Users. To ensure effective control on the
access to the System, password policy could define the requirements regarding
Chapter II – Performance Audit relating to Power Sector PSUs
55
minimum password lengths, forcing change of the password at regular time
intervals and automatically rejecting purely numerical passwords, etc.
Audit observed that the Company had not devised and put in place any password
policy so far (December 2018). As a result, the Users could set easy passwords
and keep the same unchanged for long periods. As such, in absence of a well-
defined password policy, the database of the Company was vulnerable against the
risk of unauthorised access and manipulation, which was not in the interest of the
Company.
In reply, the Company assured (November 2018) to incorporate an appropriate
password policy in the System binding the Users to change passwords at an
interval of every 30 days to ensure proper security of authorised User login.
Recommendation No. 26: The Company needs to formulate and adopt an
appropriate password policy to ensure security of database against the risk of
unauthorised access and manipulation.
Use of biometric devices
2.34 As per Clause 2.2 of the work order issued to the system developer, the
login in the computer systems for commercial applications like, Metering, Billing
and Collection Modules had to be only through biometrics authentication system
Audit observed that 4 out of 5 IRCAs and 4 out of 6 ESDs test checked did not
use biometric devices for login purpose. Absence of biometric authentication
system to login into the System leaves the scope for unauthorized access to data.
During the Exit Conference (20 November 2018), the Government/Company
stated that as the login would be based on finger scanning, the same would be
applicable to a particular User. As such, in case the regular User remained on
leave, the System would not be accessible by the alternate User making it difficult
to attend the work even in case of necessity.
The reply was not acceptable as the concern of the Government/Company could
be addressed by incorporating appropriate provision in the System authorising the
alternate User with administrative privilege to access computer and perform the
job of absentee User.
Recommendation No. 27: It is recommended that the Company should adopt the
methodology of login into the system through biometric devices to eliminate the
scope for unauthorised access to data.
Audit Report (PSUs) for the year ended 31 March 2018
56
Outcome of implementation of SAP based Computerised Billing System
2.35 The main objective of implementation of SAP based Computerised Billing
System was to reduce the aggregate technical and commercial (AT&C) loss of the
Company. The Company installed SAP based billing application in case of
8.86 lakh24 (20.48 per cent) out of its total 43.28 lakh consumers in a phased
manner during the period from March 2013 to March 2016. The impact on the
performance of the Company in areas where the SAP based Centralised Billing
System was implemented improved considerably which is shown in Table 2.3
below:
Table 2.3: Details of Billing & Collection efficiency and AT&C loss after
implementation of SAP based Computerised Billing System
Year
SAP based project areas
Billing efficiency Collection efficiency AT&C loss
(in percentage)
2015-16 70.09 90.93 36.27
2016-17 82.03 98.03 19.58
2017-18 84.02 100.00 15.98
As seen from above, the billing efficiency25
of the SAP based project areas was
increased from 70.09 per cent (2015-16) to 84.02 per cent (2017-18). As regards
the collection efficiency, the same was increased from 90.93 per cent (2015-16) to
100 per cent (2017-18). Consequently, the AT&C loss of the SAP based project
areas reduced from 36.27 per cent (2015-16) to 15.98 per cent (2017-18) which
contributed in improving the overall performance of the Company.
Recommendation No. 28: Considering the significant advantages of
implementation of SAP based Computerised Billing System in respect of 8.86 lakh
consumers (20.48 per cent), the Company needs to ensure that SAP based
Computerised Billing System is extended to the remaining 79.52 per cent
consumers also at the earliest.
Conclusion
• The Company neither had conducted any Feasibility study nor had
properly documented the migration process of consumer data to new System. This
was indicative of deficient planning and implementation of the SAP System. The
24
Comprising 8.69 lakh LT consumers and 0.17 lakh HT consumers. 25
Inspite of Computerised system, billing efficiency was not 100 per cent because, the meter
reading in case of LT consumers are still done manually.
Chapter II – Performance Audit relating to Power Sector PSUs
57
Company had also not provided the necessary training to the System Users
leaving scope for human intervention in its day-to-day operations, which was
undesirable and against the basic objective of the System.
• System design deficiencies existing in the Meter Billing Collection
(MBC), Customer Relationship Management (CRM) and Energy Audit (EA)
Modules led to various anomalies such as non-serving of supplementary bills,
non-interfacing with CMRI, wrong billing of fixed charges due to incorrect
conversion of KW into KVA, processing of bills ignoring basic logic, overloading
of distribution transformers, delay in release of new service connections,
generation of incorrect energy audit report etc. Besides, Geographical Information
System (GIS) was not operative in absence of regular updation. As such, the
intended benefits of implementing MBC and CRM module could not be achieved
to the desirable extent.
• Incorrect mapping of business rules coupled with inadequate validation
checks in place led to short and excess recovery of electricity charges from
consumers in violation of the Electricity Supply Code and Related Maters
Regulations and Schedule of tariff issued by AERC. Wrong categorization of
consumers, non-incorporation of minimum contract demand, inaccuracy in
calculation of power factor penalty, non-refund of excess security showed
deficiency of the billing system. The above deficiencies in the System have led to
large-scale human interventions in the billing operations of the Company
disregarding the concept of computerisation.
• The application controls of the System were not adequate for ensuring
accuracy and integrity of data. This led to processing of transactions with invalid
PIN codes, unusual meter numbers, generation of bills with NIL amount in case
of zero consumption instead of raising bills at minimum fixed charges etc.
Further, an IT Policy was not clearly defined and as such, strict enforcement of
the same could not ensure compromising with the security and safety of the
System.